- Find Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- Add field post stats and transpose commands
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I want my data presented in a very specific way, which means I can't go the typical route of just adding the field I want presented after the by in my stats command as I'm using transpose on the header fields.
I can't use eventstats because that completely messes up my stats table.
This is the search:
| datamodel Test summariesonly=true search
| search "TEST.date"=2021-05-18| rename "TEST.date" as date
| rename "TEST.uri_path" as uri_path
| eval category=case(like(uri_path, "/url1), "highPriority", uri_path="/url2", "unattended",
uri_path="/url3, "lowPriority", uri_path="/url4", "largePayload")
| rename "TEST.response_time" as response_time
| stats avg(response_time) by category
| rename avg(response_time) as averageResponse
| eval averageResponse=round(averageResponse,3)
| transpose 0 header_field=category
| fillnull value=0 highPriority, lowPriority, largePayload, unattended
| fields highPriority, lowPriority, largePayload, unattended, date
I want to be able to fill my date field with the previously defined date field
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, where does your hard-coded string "2021-05-18" come from - if it really is just hard coded, you could just do
| fillnull value=0 highPriority, lowPriority, largePayload, unattended
| eval date="2021-05-18"
| fields highPriority, lowPriority, largePayload, unattended, datebut I suspect it's not, so if your condition is coming from a token, e.g. $date$, then you could still do the same, with
| eval date=$date|s$or you could do this after the round
| eval averageResponse=round(averageResponse,3)
| append [
| makeresults
| fields - _time
| eval category="date", averageResponse="2021-05-18"
]again, depending on where your condition is coming from, the same issue applies.
Note a couple of tips for your existing SPL.
You can do this
| rename "TEST.*" as *and
| stats avg(response_time) as averageResponse by categoryso you don't have to do the other separate renames
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
So, where does your hard-coded string "2021-05-18" come from - if it really is just hard coded, you could just do
| fillnull value=0 highPriority, lowPriority, largePayload, unattended
| eval date="2021-05-18"
| fields highPriority, lowPriority, largePayload, unattended, datebut I suspect it's not, so if your condition is coming from a token, e.g. $date$, then you could still do the same, with
| eval date=$date|s$or you could do this after the round
| eval averageResponse=round(averageResponse,3)
| append [
| makeresults
| fields - _time
| eval category="date", averageResponse="2021-05-18"
]again, depending on where your condition is coming from, the same issue applies.
Note a couple of tips for your existing SPL.
You can do this
| rename "TEST.*" as *and
| stats avg(response_time) as averageResponse by categoryso you don't have to do the other separate renames
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It is a token, so thank you but something weird happens when I have the command | eval date-$date
It comes up in my table as 1998 and I have no idea why because the correlating values from my first enterance of that date is accurate.
Please advise
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Figured it out, I needed quotations around the token or it would have taken it as a mathematical expression
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Note the syntax I used in my original regarding use of tokens
| eval date=$date|s$The |s (pipe s) before the closing $ sign is an instruction to the token handler as to how to represent the token.
See this link
https://docs.splunk.com/Documentation/Splunk/8.2.0/Viz/tokens#Syntax_to_consume_tokens
which shows what | token commands are available and how they affect token usage.
Using this
| eval date="$date$"is the same when using the token in a dashboard, but there are subtle differences in how the |s syntax works compared to simple quoting when using the token in Javascript.
Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!
Transform your security operations with Splunk Enterprise Security
Splunk Admins and App Developers | Earn a $35 gift card!
